flutter_appauth

Support for handling Universal Links in iOS with PKCE OAuth flow?

Open shobhitpuri opened this issue 3 years ago • 4 comments

Thanks for creating and maintaining the wrapper around the native SDKs.

Issue: When using Flutter to develop the apps, I've implemented universal links for iOS. The https link opens the iOS app when it's clicked from outside the app, so they are set up properly. However, when the same URL is received as a callback URL as part of the PKCE OAuth flow, there is no AuthorizationResponse received when appAuth.authorize() is called, and the web view instance opened within the app doesn't close either. This is with iOS 15.2, iPhone 13.

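  // Endpoints are elided in the post.
  const _config = AuthorizationServiceConfiguration(
    authorizationEndpoint: '.../authorize',
    tokenEndpoint: '.../token',
  );

  try {
    // callbackURI is the https universal link used as the redirect URI.
    final result = await _appAuth.authorize(
      AuthorizationRequest(
        clientId,
        callbackURI,
        serviceConfiguration: _config,
        preferEphemeralSession: true,
      ),
    );
  } catch (e) {
    // Handle authorization errors here.
  }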

When implementing the PKCE OAuth flow with this library, an instance of ASWebAuthenticationSession seems to open within the app (since it seems the iOS library uses it for iOS 12+ and SFSafariViewController for pre-iOS 12). After the user logs in successfully, the https link callback comes with an authorization_code as a 302 redirect. However, instead of closing the webview and redirecting the flow back to the app, the URL is redirected within the webview. The weird part is that the same URL works when clicked outside the app. Has anyone experienced this? And how did you fix it?

shobhitpuri avatar Feb 06 '22 22:02 shobhitpuri

FYI, this isn't something I've experienced, so if you're running across the issue, you'd likely have better luck asking elsewhere or seeing if you can submit a fix yourself. It could potentially be a known issue with the iOS SDK too.

MaikuB avatar Feb 15 '22 09:02 MaikuB

This sounds a lot like the issue I'm facing... can someone with iOS experience fix this shit so we can move on :D

bigDado avatar Feb 24 '22 13:02 bigDado

@shobhitpuri Did you end up finding a solution? I'm facing the same problem.

MathiasCochet avatar May 19 '22 09:05 MathiasCochet

@MathiasCochet We ended up using a custom scheme instead of a universal link for the callback. It is safe to do so for iOS 12+, since the library uses ASWebAuthenticationSession, released by Apple specially for the authentication use case. If you read the documentation, it says:

ASWebAuthenticationSession ensures that only the calling app’s session receives the authentication callback, even when more than one app registers the same callback URL scheme.

So we need not worry about other malicious apps handling the callback.

shobhitpuri avatar May 20 '22 06:05 shobhitpuri
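
Added example (not part of the thread and not flutter_appauth code): the PKCE binding from RFC 7636 that the flow discussed above relies on, whichever redirect type carries the callback. An authorization code is only redeemable together with the verifier held by the app that started the request. `ToyAuthServer` and the redirect URI are constructed stand-ins, not a real server API.

```python
import base64
import hashlib
import hmac
import secrets

def b64url(data: bytes) -> str:
    # Base64url without padding, the encoding RFC 7636 specifies.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def new_code_verifier() -> str:
    # Client: 32 random bytes give a 43-character verifier kept in the app.
    return b64url(secrets.token_bytes(32))

def s256_challenge(verifier: str) -> str:
    # Client: code_challenge sent with the authorization request (method S256).
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class ToyAuthServer:
    """Constructed stand-in for an authorization server (hypothetical)."""

    def __init__(self):
        self._codes = {}  # authorization code -> (challenge, redirect URI)

    def authorize(self, code_challenge: str, redirect_uri: str) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = (code_challenge, redirect_uri)
        return code  # reaches the app as ?code=... on the callback URL

    def token(self, code: str, code_verifier: str, redirect_uri: str):
        entry = self._codes.pop(code, None)  # single use, even on failure
        if entry is None or entry[1] != redirect_uri:
            return None
        if not hmac.compare_digest(s256_challenge(code_verifier), entry[0]):
            return None  # caller holds the code but not the verifier
        return "token-" + secrets.token_urlsafe(8)

def demo():
    server = ToyAuthServer()
    redirect = "com.example.app:/oauthredirect"  # constructed callback URI
    verifier = new_code_verifier()
    code = server.authorize(s256_challenge(verifier), redirect)
    legit = server.token(code, verifier, redirect)
    replay = server.token(code, verifier, redirect)
    code2 = server.authorize(s256_challenge(verifier), redirect)
    wrong = server.token(code2, new_code_verifier(), redirect)
    return legit is not None, replay is None, wrong is None

if __name__ == "__main__":
    print(demo())
```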

Closing as OP has switched to a custom scheme and there's been no one from the community who has come forward to submit a PR should there actually be an issue with the plugin.

MaikuB avatar Oct 08 '22 05:10 MaikuB